The Ransomware Survival Guide

The Ransomware Survival Guide

According to the New York Times, a widespread ransomware attack that rooted in Europe has made its way to the States. The strain Kapersky coined “NotPetya” reportedly bulldozed its way into some of the nation’s most prominent healthcare organizations. In the U.S., it affected pharmaceutical giant Merck. NotPetya exhibits traits similar to the original Petya (hence the name) as well as the infamous WannaCry ransomware that recently infected more than 200,000 computers across the globe. The aforementioned attack took hold of almost 2,000 systems.

The promise of a fast and easy payday has helped ransomware become a worldwide epidemic. There appears to be no end in sight. But adopting a survivalist mentality can dramatically reduce your exposure to this rapidly growing threat.

What Makes Ransomware Tick?

Ransomware is a very intriguing animal. It’s a seemingly unstoppable threat that uses encryption, one of the most reliable security technologies, as its primary weapon. In its simplest form, the malware installs itself on the targeted system via common distribution channels. It encrypts core system files, then holds the data hostage until a ransom is paid. But it doesn’t stop there. Ransomware is rapidly evolving in both numbers and capabilities.

Now keep in mind that the data varies depending on the source cited, but Carbon Black reports that ransomware grew by 50 percent from 2015 to 2016, making it the fastest growing form of malware by far. The average ransom fee has also climbed to nearly $1100, up from the near $300 calculated for the previous year. A thriving black market exists today that basically provides DIY ransomware kits for pennies on the dollar. This explains the non-stop roll out of new threats. End users often lack awareness, which is why ransomware has become alarmingly more effective.

Beyond the sophisticated weaponry is a harsh truth that makes ransomware and cyber crime in general virtually impossible to thwart. The ungovernable Bitcoin economy has given hackers an ideal way to manage transactions. They can collect payments, transfer funds, and move on to the next target with little to no trace. They will use VPNs and botnets that remotely control thousands of zombie computers – to remain anonymous. It’s a business model is carved out of pure brilliance.

Why Backup is the Key

A band of cyber thieves hijacks your files and demands you pay a handsome ransom to get them back. Sounds like a disastrous situation to me. Luckily you have your backup plan, because it’s your best weapon in the fight against ransomware. If push comes to shove, you can restore your data from backups and avoid paying the ransom. Here’s a few tips for ransomware protection and recovery.

Create a regular backup schedule: In order to truly minimize the sting of a ransomware attack, you must back up your mission-critical data on a regular basis. If you store data in the cloud, make sure you have another copy somewhere offline. If you have backups stored on disks in your data center, keep extra copies somewhere offsite. Your data is always changing, so a regular backup schedule will allow you to restore the most up to data version.

Test your backups: The last thing you want to do is fire up your backups in an emergency situation only to find that they fail. Get into the habit of periodically testing your backup copies to make sure you can reliably restore data. This applies to NAS devices, cloud servers, thumb drives, and any other storage medium that holds precious data.

Get granular with recovery: Some ransomware strains lock up your entire OS, but others only encrypt select files. Since you never know what will be targeted in an attack, having granular recovery options will come in handy. Whether it’s at the file level or object level, organizations need a comprehensive solution. Restoring data saved a couple hours ago should be as easy as recovering last night’s full backup.

Taking Administrative Action

Neutralizing ransomware starts at the top. Guided by their trusty team of business continuity managers and system administrators, organizations can lay down sturdy roadblocks that stop the threat dead in its tracks.

Educate and train employees: While ransomware is certainly a unique type of attack, it gets around just like most other malicious software. If prevention is the best form of protection, then you might say relying on such a primitive distribution method is its biggest flaw. You need to train employees on how to avoid malware and also understand the repercussions of a successful ransomware exploit.

Restrict administrative control: Ransomware villains like the original Petya require root privileges in order to compromise the targeted system. By acting as the administrator, this particular variant is able to overwrite the master boot record and swap it out for malicious code … then it’s all downhill from there. The good thing is this type of ransomware can be neutered by simply restricting administrative access in your configuration settings.

Commit to patch management: The NotPetya strain wrecking havoc across the globe was able to make its mark by exploiting a bug in Windows. Make sure you regularly update your systems and apply any new patches. This simple strategy gives ransomware one less door to sneak in.

Simple Security Practices That Work

By the time ransomware is installed on your system, it’s already too late. You either hit the reset button with a fresh restore, or pay the piper. Luckily there are a few security features and strategies you can employ to keep the money hungry hackers at bay.

Use email filtering: This reduces the number of potentially malicious emails coming your way. The spam filters of the AOL and Yahoo Mails of the world are hit or miss. Businesses will have better luck with enterprise-grade solutions. These will use techniques such as blacklisting, whitelisting, and user-based email analytics to balance the filtering of spam and legitimate mail.

Scan attachments: If email is the vehicle that drives it, then the attachment is the cargo you open to unknowingly unload the malware on your system. A lot of enterprise spam filters have scanning functions that allow you to check your messages for potential threats. Whether it’s built into your spam filter or anti-malware software, put those scanning capabilities to use before opening any email attachments.

Block attachments: Blocking select attachments is one of the most effective ways to stop ransomware at the gate. The system may prevent users from opening .exe, .com, .bat, .js, .docx, and other file types commonly associated with malware. Because this method could also restrict access to legit files you actually need, it might be a good idea to designate a separate server, such as the cloud, for exclusively handling blocked file types.

Preach safe surfing: Like malware in general, ransomware distribution is not limited to email. This type of infection can be spread by visiting rogue websites, downloading free software, and even connecting infected USB drives to your system. A computer security training program that covers all the basics of responsible web browsing can make a world of difference when it comes to staying protected.

Advanced Ransomware Protection

The alarming effectiveness of ransomware is directly tied to conventional security tools and their inability to keep up. With a few alterations, a common variant your antivirus software would’ve been able to detect a week ago could become an all new threat with zero-day impact. This simple trick enables malware authors to keep production rolling as they crank out ransomware that is practically undetectable to signature-based security solutions.

Advances in ransomware have led to a need for more advanced protection. One approach that shows tremendous promise is built around sandboxing technology. A sandbox creates a virtual environment that isolates and prevents malware from tampering with data on your system. While ransomware can still encrypt files within the isolated container, all files outside of the sandbox remain protected. There are also behavioral-based security solutions that trick ransomware into believing it is forever trapped.

Responding to Ransomware

How you respond to a ransomware infection goes a long way in minimizing the damage. In the event that an attack happens to slip through the cracks, the following steps will help you mitigate the issue in timely fashion.

Isolate the threat: The typical ransomware strain wants to propagate and spread itself to as many hosts as possible. You can minimize its reach by immediately disconnecting the infected machine from all other devices on the network. This goes for wired and wireless connections as well as any backups connected to external storage media.

Analyze the threat: You can lean a lot from the error messages, instructions, and output that follows a successful ransomware attack. If possible, get a screenshot of what’s in front of you so security personnel can go to work. Proper threat analysis can help you identify the attack vector, pinpoint the location of compromised files, and even come up with solutions for decrypting your data.

Identify the source: Ransomware infections originate from a number of attack vectors. Maybe it was a cleverly crafted phishing email or Trojan bundled with a program an employee downloaded. Identifying the source can help your security response team better understand the attack and more importantly, prevent exploits in the near future.

Mitigate the threat: This is where your disaster recovery prowess comes into play. If you’re restoring from clean backups, then you should be back up and running with little delay. However, you may encounter potential issues if you elect to pay the ransom. Sure, you got your files back, but that doesn’t necessarily mean you’re in the clear. If eradication is the plan, you need to be overly diligent in combing your system to be certain that the threat has been completely eliminated.

Report the attack: Ransomware victims should report all incidents to the proper authorities. For example, U.S. victims can submit details of an attack to the FBI’s Internet Crime Complaint Center. Filing a complaint probably won’t accomplish much in the way of tracking down criminals or recovering your data any faster. However, it could lead to more accurate reporting, which in turn, increases ransomware awareness and hopefully puts more organizations and end users on alert.

Recovery Zone Subscription

Related articles:

About the Recovery Zone

This online digest is dedicated to exploring BDR solutions and technology relevant to MSPs, VARs, and IT professionals.

The Recovery Zone is brought to you by StorageCraft, a company that has been producing software solutions for backup, disaster recovery, system migration, virtualization, and data protection for servers, desktops, and laptops since 2003.